fix(nats): grant platform-services publish on serviceradar_plugins object store (#3425) #3525

Merged
mfreeman451 merged 1 commit from fix/nats-platform-object-store-acl into staging 2026-06-04 06:57:20 +00:00

web-ng's Plugins.Storage writes native add-on bundles, plugin WASM blobs, and dashboard artifacts into the serviceradar_plugins JetStream object store. The platform-services credential only allowed $JS.API.>/$JS.ACK.>, so chunk PUTs to $O.serviceradar_plugins.C.<nuid> were rejected with "Permissions Violation for Publish to $O.serviceradar_plugins.C.<id>".

Adds $O.serviceradar_plugins.> (covers .C and .M) and $JS.FC.OBJ_serviceradar_plugins.> (large-object flow control) to PublishAllow in generatePlatformAccount, and mirrors the read subject into SubscribeAllow. Scoped to the bucket; raw host-slice publish stays denied.

⚠️ Permissions are baked into the issued user JWT at bootstrap, so the demo's existing platform.creds must be regenerated (re-run nats bootstrap) for this to take effect.

🤖 Generated with Claude Code

fix(nats): grant platform-services publish on serviceradar_plugins object store (#3425)
Some checks failed
lint / lint (push) Successful in 1m11s
Secret Scan / gitleaks (pull_request) Successful in 22s
Golang Tests / test-go (push) Successful in 1m50s
lint / lint (pull_request) Successful in 1m58s
CI / build (pull_request) Failing after 14m33s
1d6b024f10
web-ng's Plugins.Storage writes native add-on bundles, plugin WASM blobs,
and dashboard artifacts into the serviceradar_plugins JetStream object
store. The platform-services credential (platform.creds) only allowed
$JS.API.>/$JS.ACK.>, so chunk PUTs to $O.serviceradar_plugins.C.<nuid>
were rejected with "Permissions Violation for Publish to
$O.serviceradar_plugins.C.<id>".

Add $O.serviceradar_plugins.> (covers .C and .M) and
$JS.FC.OBJ_serviceradar_plugins.> (large-object flow control) to
PublishAllow, and mirror $O.serviceradar_plugins.> into SubscribeAllow
for GET. Scoped to the bucket; raw host-slice publish stays denied.

NOTE: permissions are baked into the issued user JWT at bootstrap, so the
demo's existing platform.creds must be regenerated (re-run nats bootstrap)
for this to take effect.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
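As an added example (not code from the PR or from the serviceradar code base), a Go reimplementation of NATS subject matching that evaluates the platform-services PublishAllow list before and after this change against the subjects named above; the nuid value and the second bucket name are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// subjectMatches reports whether a concrete NATS subject matches a permission
// pattern: "*" matches exactly one token, a trailing ">" matches one or more.
func subjectMatches(pattern, subject string) bool {
	p := strings.Split(pattern, ".")
	s := strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return i == len(p)-1 && i < len(s) // ">" is only valid as the last token
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s) // no wildcard tail: token counts must agree
}

// allowed applies an allow list the way NATS does: any matching pattern permits.
func allowed(allow []string, subject string) bool {
	for _, pat := range allow {
		if subjectMatches(pat, subject) {
			return true
		}
	}
	return false
}

// PublishAllow of platform-services before the fix, as stated in the PR.
var oldPublishAllow = []string{"$JS.API.>", "$JS.ACK.>"}

// PublishAllow after the fix: chunk/meta and flow-control subjects, scoped to the bucket.
var newPublishAllow = []string{"$JS.API.>", "$JS.ACK.>",
	"$O.serviceradar_plugins.>", "$JS.FC.OBJ_serviceradar_plugins.>"}

func main() {
	// Constructed sample subjects: the nuid and "other_bucket" are illustrative.
	for _, subj := range []string{
		"$O.serviceradar_plugins.C.abc123",    // chunk PUT that used to be rejected
		"$O.serviceradar_plugins.M.bundle",    // object metadata
		"$JS.FC.OBJ_serviceradar_plugins.x.1", // large-object flow control
		"$O.other_bucket.C.abc123",            // a different bucket: still denied
	} {
		fmt.Printf("%-38s old=%-5v new=%v\n", subj, allowed(oldPublishAllow, subj), allowed(newPublishAllow, subj))
	}
}
```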
Reference
carverauto/serviceradar!3525